CVE-2026-52845 in caddy
Summary
by MITRE • 06/23/2026
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through php_fastcgi, Caddy normalizes HTTP headers into CGI variables by replacing - with _. This lets a client send an underscore alias that survives the forward_auth delete step but becomes the same PHP/FastCGI variable. Result: a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy. This vulnerability is fixed in 2.11.4.
Analysis
by VulDB Data Team • 06/23/2026
This vulnerability exists within the Caddy web server platform's handling of authentication headers, specifically affecting versions prior to 2.11.4. The issue stems from a flawed interaction between the forward_auth middleware and PHP FastCGI processing that creates a header normalization bypass. When Caddy processes requests through forward_auth middleware, it deletes the original client-supplied identity header before copying the trusted value from an authentication gateway. However, this deletion process only targets exact header matches and fails to account for alternative header representations that may be used by clients.
The flaw arises from the difference in how HTTP header names are processed across components of the server stack. When requests pass through php_fastcgi, Caddy normalizes HTTP headers into CGI variables by converting hyphens to underscores. This normalization creates a scenario where a client can submit an underscore-based header alias that bypasses the forward_auth deletion step because it does not match the exact hyphenated header name being deleted. The normalized underscore version then reaches PHP/FastCGI applications as the same CGI variable, effectively allowing clients to inject or override identity and group headers that these applications trust.
The operational impact of this vulnerability is significant for web applications that rely on authenticated user context passed through HTTP headers. Remote attackers can manipulate authentication state in applications behind Caddy by submitting carefully crafted header variations that survive the initial deletion process but become equivalent to trusted headers after normalization. This creates a potential vector for privilege escalation, unauthorized access to protected resources, and session manipulation within applications that depend on proper identity headers for authorization decisions.
This vulnerability aligns with CWE-284 (Improper Access Control) and CWE-120 (Buffer Overflow) categories, representing a specific implementation flaw in header handling that enables unauthorized data injection. The attack pattern follows ATT&CK techniques related to credential access through header manipulation and application layer attacks targeting authentication mechanisms. Organizations using Caddy with PHP applications should prioritize immediate patching to version 2.11.4 or later, implement additional monitoring for suspicious header variations, and consider deploying web application firewalls to detect anomalous header patterns that might indicate exploitation attempts.
The fix implemented in Caddy 2.11.4 addresses this issue by modifying the forward_auth middleware to properly handle header normalization across different processing stages, ensuring that both hyphenated and underscored variations of authentication headers are consistently managed during the deletion and copying process. This prevents the bypass scenario where client-controlled headers could survive the initial deletion step only to be normalized into equivalent trusted variables within PHP applications.
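As an added illustration of the mechanism and the fix described above (this is example code written for this page, not Caddy's source and not the 2.11.4 patch), the Go program below models the hyphen-to-underscore normalisation, the exact-match delete that lets an alias through, a normalisation-aware delete that closes the gap, and a small check that reports alias headers for logging. The identity header name X-Forwarded-User, the sample request values and the way toCGIEnv collects colliding values are assumptions of the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Headers keeps request headers keyed by the name exactly as the client sent
// it, so "X-Forwarded-User" and "X_Forwarded_User" stay separate entries, as
// they are before any CGI normalisation takes place.
type Headers map[string]string

// cgiName maps an HTTP header name to the CGI/FastCGI variable name the way
// the advisory describes the normalisation: '-' becomes '_', the result is
// upper-cased and prefixed with "HTTP_".
func cgiName(header string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}

// toCGIEnv builds the variables a FastCGI backend would receive. Values whose
// names collide after normalisation are collected and sorted so the result is
// deterministic (assumption of this example; real servers resolve collisions
// differently), but any collision means an untrusted value reached a trusted
// variable.
func toCGIEnv(h Headers) map[string][]string {
	env := make(map[string][]string)
	for name, value := range h {
		k := cgiName(name)
		env[k] = append(env[k], value)
	}
	for k := range env {
		sort.Strings(env[k])
	}
	return env
}

func clone(h Headers) Headers {
	out := make(Headers, len(h))
	for k, v := range h {
		out[k] = v
	}
	return out
}

// copyHeadersExact models the pre-fix behaviour the advisory describes: only
// the header whose name matches (HTTP header names are case-insensitive) is
// removed before the trusted value from the auth gateway is copied in.
func copyHeadersExact(client, trusted Headers, name string) Headers {
	out := clone(client)
	for k := range out {
		if strings.EqualFold(k, name) {
			delete(out, k)
		}
	}
	if v, ok := trusted[name]; ok {
		out[name] = v
	}
	return out
}

// copyHeadersNormalized is the hardened form used in this example (not
// Caddy's patch): every client header whose CGI variable name would collide
// with the trusted header's is removed, whatever its spelling, before the
// trusted value is copied in.
func copyHeadersNormalized(client, trusted Headers, name string) Headers {
	out := clone(client)
	want := cgiName(name)
	for k := range out {
		if cgiName(k) == want {
			delete(out, k)
		}
	}
	if v, ok := trusted[name]; ok {
		out[name] = v
	}
	return out
}

// aliasHeaders returns client header names that differ from a trusted header
// name yet normalise to the same CGI variable. A non-empty result is a cheap
// signal for the "monitoring for suspicious header variations" the analysis
// recommends.
func aliasHeaders(client Headers, trustedNames []string) []string {
	var hits []string
	for _, t := range trustedNames {
		want := cgiName(t)
		for k := range client {
			if !strings.EqualFold(k, t) && cgiName(k) == want {
				hits = append(hits, k)
			}
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	const trustedName = "X-Forwarded-User" // assumed identity header name
	// Constructed sample request: the gateway vouches for "alice", while the
	// client supplies both the real header and an underscore alias.
	client := Headers{
		"X-Forwarded-User": "mallory",
		"X_Forwarded_User": "mallory",
		"Accept":           "text/html",
	}
	trusted := Headers{trustedName: "alice"}

	vuln := toCGIEnv(copyHeadersExact(client, trusted, trustedName))
	fixed := toCGIEnv(copyHeadersNormalized(client, trusted, trustedName))
	fmt.Println("exact-match delete: HTTP_X_FORWARDED_USER =", vuln["HTTP_X_FORWARDED_USER"])
	fmt.Println("normalised delete:  HTTP_X_FORWARDED_USER =", fixed["HTTP_X_FORWARDED_USER"])
	fmt.Println("alias headers seen:", aliasHeaders(client, []string{trustedName}))
}
```

Run as is, the exact-match path leaves two values in HTTP_X_FORWARDED_USER (the trusted "alice" alongside the client's "mallory"), while the normalisation-aware delete leaves only "alice"; the design point is that the delete step must compare names in the same representation the downstream consumer uses, not in the representation the proxy happens to see.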